My IPTables Script


TheDanMan

08-11-2005 08:30:20

Am I doing anything stupid?



#!/bin/sh

set -e

PATH="/bin:/sbin:/usr/bin:/usr/sbin"

case "$1" in
    start)
        # Start from empty filter and nat tables
        iptables -F
        iptables -t nat -F

        # Default Deny Policy
        iptables -P INPUT DROP
        iptables -P FORWARD DROP

        # Existing connections
        iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

        # Localhost is always trusted.
        iptables -A INPUT -i lo -j ACCEPT

        # Allow SSH, WWW, DNS, WEBMIN, POP3, SMTP, IMAP2, HTTPS, FTP, GKRELLM
        iptables -A INPUT -m state --state NEW -p tcp --syn --dport 22 -j ACCEPT     # ssh
        iptables -A INPUT -m state --state NEW -p tcp --syn --dport 80 -j ACCEPT     # http
        iptables -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT           # dns (udp)
        iptables -A INPUT -m state --state NEW -p tcp --syn --dport 25 -j ACCEPT     # smtp
        iptables -A INPUT -m state --state NEW -p tcp --syn --dport 53 -j ACCEPT     # dns (tcp)
        iptables -A INPUT -m state --state NEW -p tcp --syn --dport 10000 -j ACCEPT  # webmin
        iptables -A INPUT -m state --state NEW -p tcp --syn --dport 110 -j ACCEPT    # pop3
        iptables -A INPUT -m state --state NEW -p tcp --syn --dport 113 -j ACCEPT    # auth/ident
        iptables -A INPUT -m state --state NEW -p tcp --syn --dport 143 -j ACCEPT    # imap
        iptables -A INPUT -m state --state NEW -p tcp --syn --dport 443 -j ACCEPT    # https
        iptables -A INPUT -m state --state NEW -p tcp --syn --dport 993 -j ACCEPT    # imaps
        iptables -A INPUT -m state --state NEW -p tcp --syn --dport 995 -j ACCEPT    # pop3s
        iptables -A INPUT -m state --state NEW -p tcp --syn --dport 10001 -j ACCEPT  # gkrellm daemon
        iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT                 # ping
        ;;
    stop)
        # Open the policies first, then remove the rules
        iptables -P INPUT ACCEPT
        iptables -P FORWARD ACCEPT
        iptables -F
        ;;
    restart|reload)
        # Tear down, then rebuild (stop must run before start, or the
        # firewall ends up with an ACCEPT policy and no rules)
        "$0" stop
        "$0" start
        ;;
    *)
        echo "Usage: $0 {start|stop|reload|restart}"
        exit 1
        ;;
esac


robertngreen

08-11-2005 14:00:36

Doesn't look like you are doing anything dumb. Fairly straightforward and simple. I take it this is a web/mail server not acting as a router.

Although instead of port numbers you can use names. Makes things a little easier to read. (i.e. http, pop3, imap, etc.) You can find the official names in /etc/services.

TheDanMan

08-11-2005 14:27:46

kewl kewl, thanks. Yeah I realize you can use names. I just prefer to use port numbers because I don't always remember the names ;-D

Oh and yes, it is a web/mail server.

gorshing

08-11-2005 14:35:30

I was curious if anybody has messed with the packet limits with iptables ... I mean with --limit and --limit-burst (I believe those are right).

Has anybody set up a test network and tried a DDOS/DOS against a machine not using these limits and then again using the limits? I was just curious if it actually helps any.

Colleen

12-11-2005 10:57:02

I do some matching on limit in my scripts, but not for DDOS/DOS mitigation. What is effective against those kinds of attacks depends on the type of attack - SYN cookies can be used vs. SYN floods, there are various things you can do vs. UDP fragged packet floods, etc. However, if you've got a 3Mb Cox pipe and some malicious person is aiming 10Mb of crap traffic at you, you're screwed no matter what's in your iptables script because you can't get far enough upstream to filter the traffic.

- Colleen
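gorshing's question about --limit/--limit-burst and Colleen's point that it is not a flood cure can both be made concrete by modelling the match. The token-bucket simulation below is an added example, not code from anyone in this thread; the two iptables rules in its docstring and the SYN arrival times are constructed, and it approximates the kernel's limit match with a continuous refill rather than per-jiffy credit.

```python
"""Token-bucket model of the iptables 'limit' match, to see what these two
(constructed) rules do to incoming SYNs:
    iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 5 -j ACCEPT
    iptables -A INPUT -p tcp --syn -j DROP
The kernel refills credit once per jiffy; this continuous version is an approximation."""

RATE_UNITS = {"second": 1.0, "minute": 60.0, "hour": 3600.0, "day": 86400.0}

def parse_rate(rate):
    """Convert an iptables rate string ('1/s', '10/minute') to tokens per second."""
    count, sep, unit = rate.partition("/")
    if not sep or not unit:
        raise ValueError("rate needs a unit, e.g. '3/hour'")
    for name, seconds in RATE_UNITS.items():  # iptables accepts prefixes: /s, /min, ...
        if name.startswith(unit.lower()):
            return int(count) / seconds
    raise ValueError("unknown rate unit: %r" % unit)

class LimitMatch:
    """-m limit --limit RATE --limit-burst BURST, as a token bucket."""

    def __init__(self, rate="3/hour", burst=5):  # iptables' own defaults
        self.per_second = parse_rate(rate)
        self.burst = float(burst)
        self.tokens = self.burst  # bucket starts full: the first BURST packets match
        self.last = 0.0

    def matches(self, now):
        """True if a packet arriving at time 'now' (seconds) matches the rule."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.per_second)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False  # no credit left: the packet falls through to the DROP rule

def simulate(timestamps, rate="1/s", burst=5):
    """Verdict per SYN (True = ACCEPT, False = DROP) for ascending arrival times."""
    m = LimitMatch(rate, burst)
    return [m.matches(t) for t in timestamps]

if __name__ == "__main__":
    # Constructed traffic: a 4 SYN/s flood for 5 s, and one client connecting every 2 s.
    # The limit is per rule, not per source, so a flood that empties the bucket also
    # drops legitimate SYNs arriving at the same moment (hashlimit is per source).
    for name, pkts in (("flood", [i * 0.25 for i in range(20)]),
                       ("normal", [i * 2.0 for i in range(10)])):
        v = simulate(pkts)
        print("%-6s %2d accepted, %2d dropped" % (name, sum(v), len(v) - sum(v)))
```

The flood run shows the burst being spent and then one SYN per second getting through, which caps what reaches the daemon but, as Colleen says, does nothing about the bandwidth the flood consumes before it reaches the box.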